Analysis
- max time kernel: 29s
- max time network: 139s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 29-12-2020 17:20
- Static task: static1
- Behavioral task: behavioral1 (Sample: mal.bin.dll, Resource: win7v20201028)
General
- Target: mal.bin.dll
- Size: 271KB
- MD5: 57ee70462da3c968d4ef8466e2855418
- SHA1: c653f707d23ea22c65bdc88e6f6a310f83f8cdf8
- SHA256: e36baf947ea6292bc5d73b9ec405a91a6939a487da6c8ca920bae5a4a624f1d4
- SHA512: 60aef8af216bad129ebbac1c11804187fa6227ddf5f2836055d59f43318121751ab74df98a6e3fb8b6e7f74fb0c563acbebcbe5ac36c35c89369e4459f29c6c4
Malware Config
Extracted
- Family: trickbot
- Version: 100008
- Botnet (gtag): rob33
- C2 (20 servers, all on TCP/449):
  103.231.115.106:449
  117.222.63.100:449
  117.254.58.83:449
  149.54.11.54:449
  170.82.4.64:449
  177.11.12.93:449
  182.16.187.251:449
  187.108.86.48:449
  190.152.88.57:449
  203.88.149.33:449
  36.89.191.119:449
  41.159.31.227:449
  85.202.128.243:449
  92.204.160.82:449
  103.150.68.124:449
  103.126.185.7:449
  103.112.145.58:449
  103.110.53.174:449
  102.164.208.48:449
  102.164.208.44:449
- Attributes: autorunName:pwgrab (the credential-stealing module is configured to start automatically)
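The C2 list above is only useful once it can be matched against traffic. The following is an added example, not part of the sandbox report and not TrickBot's or the sandbox's code: it parses the ip:port list, matches it against a constructed flow log, and emits one Suricata rule per server. It goes one step beyond the config by also reporting, at low confidence, TCP connections to port 449 toward hosts that are not in this sample's list, since every server in this config uses that one non-standard port. The flow log lines, the victim address 10.0.0.15 and the SID range starting at 9000001 are assumptions made for the example.

```python
import ipaddress
import re

# TrickBot C2 list exactly as the sandbox extracted it from mal.bin.dll (values from the report).
TRICKBOT_C2_CONFIG = """
103.231.115.106:449
117.222.63.100:449
117.254.58.83:449
149.54.11.54:449
170.82.4.64:449
177.11.12.93:449
182.16.187.251:449
187.108.86.48:449
190.152.88.57:449
203.88.149.33:449
36.89.191.119:449
41.159.31.227:449
85.202.128.243:449
92.204.160.82:449
103.150.68.124:449
103.126.185.7:449
103.112.145.58:449
103.110.53.174:449
102.164.208.48:449
102.164.208.44:449
"""

C2_LINE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s*$")


def parse_c2_list(config_text):
    """Return the set of (ip, port) pairs found on 'ip:port' lines.

    Lines that are not a valid IPv4 address plus port are skipped rather than
    raising, so a config dump with extra fields does not break the import.
    """
    c2 = set()
    for line in config_text.splitlines():
        m = C2_LINE.match(line)
        if not m:
            continue
        ip, port = m.group(1), int(m.group(2))
        try:
            ipaddress.IPv4Address(ip)  # rejects octets > 255
        except ValueError:
            continue
        if not 1 <= port <= 65535:
            continue
        c2.add((ip, port))
    return c2


def c2_ports(c2):
    """Distinct destination ports in the list (this config uses only 449)."""
    return {port for _, port in c2}


# Constructed flow log for illustration (NOT from the report).
# Fields: timestamp src_ip src_port dst_ip dst_port proto. 10.0.0.15 is the assumed victim.
SAMPLE_FLOW_LOG = """
2020-12-29T17:21:03Z 10.0.0.15 49812 103.231.115.106 449 tcp
2020-12-29T17:21:05Z 10.0.0.15 49813 8.8.8.8 53 udp
2020-12-29T17:21:09Z 10.0.0.15 49814 192.0.2.77 449 tcp
2020-12-29T17:21:12Z 10.0.0.15 49815 192.0.2.10 443 tcp
"""


def match_flows(log_text, c2):
    """Exact ip:port hits are high confidence; TCP to the C2 port toward an
    unlisted host is reported at low confidence for analyst review."""
    ports = c2_ports(c2)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        ts, src, _sport, dst, dport, proto = parts[:6]
        try:
            dport = int(dport)
        except ValueError:
            continue
        if (dst, dport) in c2:
            hits.append({"ts": ts, "src": src, "dst": dst, "port": dport,
                         "confidence": "high", "reason": "known TrickBot C2 (rob33)"})
        elif proto == "tcp" and dport in ports:
            hits.append({"ts": ts, "src": src, "dst": dst, "port": dport,
                         "confidence": "low", "reason": "TCP/%d, host not in config" % dport})
    return hits


def suricata_rules(c2, sid_base=9000001):
    """Emit one Suricata rule per C2 entry. sid_base is an assumed local SID range."""
    return ['alert tcp $HOME_NET any -> %s %d (msg:"TrickBot C2 rob33"; '
            'flow:to_server; sid:%d; rev:1;)' % (ip, port, sid_base + i)
            for i, (ip, port) in enumerate(sorted(c2))]


if __name__ == "__main__":
    c2 = parse_c2_list(TRICKBOT_C2_CONFIG)
    for hit in match_flows(SAMPLE_FLOW_LOG, c2):
        print(hit)
    print("\n".join(suricata_rules(c2)))
```

The low-confidence rule is deliberately separate from the exact match: TrickBot gtags rotate C2 servers frequently, so an exact-match list from one sample goes stale, while the port choice tends to persist within a campaign.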
Signatures
- Templ.dll packer (1 IoC)
  Detects Templ.dll packer which usually loads Trickbot.
  resource: behavioral1/memory/1312-3-0x0000000000250000-0x0000000000288000-memory.dmp (memory of PID 1312, the SysWOW64 regsvr32.exe instance)
  yara_rule: templ_dll
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 7: icanhazip.com
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 1724, wermgr.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  PID 2012 (regsvr32.exe) wrote to memory of PID 1312 (regsvr32.exe): 7 events
  PID 1312 (regsvr32.exe) wrote to memory of PID 1724 (wermgr.exe): 6 events
Processes
1. C:\Windows\system32\regsvr32.exe (PID 2012)
   command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\mal.bin.dll
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\regsvr32.exe (PID 1312), child of 1; the 64-bit regsvr32.exe hands a 32-bit DLL off to the SysWOW64 copy
      command line: /s C:\Users\Admin\AppData\Local\Temp\mal.bin.dll
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\wermgr.exe (PID 1724), child of 2; spawned by the loader and written into, then enables SeDebugPrivilege
         command line: C:\Windows\system32\wermgr.exe
         - Suspicious use of AdjustPrivilegeToken
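The signatures and the process tree together describe one chain: regsvr32.exe loads a DLL from the user's Temp directory, the SysWOW64 regsvr32.exe spawns wermgr.exe and writes into its memory, and wermgr.exe then enables SeDebugPrivilege. The following is an added example, not part of the sandbox report and not the sandbox's or TrickBot's code, that runs detection rules for exactly that chain over constructed process telemetry. The pids 2012, 1312 and 1724, the command lines and the write counts (7 and 6) are taken from the report; the event schema, the benign svchost.exe-launched wermgr.exe at pid 3000, pid 812 for svchost.exe, and the assumption that wermgr.exe is normally launched by svchost.exe (the WER service host) are assumptions made for the example.

```python
from collections import defaultdict

# Constructed process telemetry (NOT from the report) mirroring the sandbox's process tree.
# pids 2012/1312/1724, command lines and write counts come from the report; the
# svchost.exe (812) -> wermgr.exe (3000) pair is a benign control case.
SAMPLE_EVENTS = [
    {"type": "create", "pid": 812, "ppid": 600,
     "image": r"C:\Windows\system32\svchost.exe", "cmdline": "svchost.exe -k WerSvcGroup"},
    {"type": "create", "pid": 3000, "ppid": 812,
     "image": r"C:\Windows\system32\wermgr.exe", "cmdline": r"C:\Windows\system32\wermgr.exe -upload"},
    {"type": "create", "pid": 2012, "ppid": 1500,
     "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\mal.bin.dll"},
    {"type": "create", "pid": 1312, "ppid": 2012,
     "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r"/s C:\Users\Admin\AppData\Local\Temp\mal.bin.dll"},
    {"type": "create", "pid": 1724, "ppid": 1312,
     "image": r"C:\Windows\system32\wermgr.exe", "cmdline": r"C:\Windows\system32\wermgr.exe"},
]
SAMPLE_EVENTS += [{"type": "write_memory", "pid": 2012, "target_pid": 1312}] * 7
SAMPLE_EVENTS += [{"type": "write_memory", "pid": 1312, "target_pid": 1724}] * 6
SAMPLE_EVENTS.append({"type": "token_adjust", "pid": 1724, "privilege": "SeDebugPrivilege"})

LOLBIN_LOADERS = {"regsvr32.exe", "rundll32.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Assumption: the legitimate launcher of wermgr.exe is the WER service host. Tune to your telemetry.
EXPECTED_PARENT = {"wermgr.exe": {"svchost.exe"}}


def image_name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(procs, pid):
    """Chain of pids from the oldest known ancestor down to pid (stops at unknown or cyclic ppids)."""
    chain, seen = [pid], {pid}
    while procs.get(chain[0]) is not None:
        ppid = procs[chain[0]]["ppid"]
        if ppid in seen or ppid not in procs:
            break
        chain.insert(0, ppid)
        seen.add(ppid)
    return chain


def analyze(events):
    """Return findings as (pid, rule, detail) tuples.

    lolbin_user_path       regsvr32/rundll32 loading a DLL from a user-writable path
    unexpected_parent      a process whose parent is not its expected launcher
    cross_image_write      a process writing into the memory of a differently named process
    debug_priv_after_write a process that was written into and then acquired SeDebugPrivilege
    """
    procs = {e["pid"]: e for e in events if e["type"] == "create"}
    writes = defaultdict(int)
    for e in events:
        if e["type"] == "write_memory":
            writes[(e["pid"], e["target_pid"])] += 1
    findings = []

    for pid, p in procs.items():
        img, cmd = image_name(p["image"]), p["cmdline"].lower()
        if img in LOLBIN_LOADERS and any(m in cmd for m in USER_WRITABLE):
            findings.append((pid, "lolbin_user_path", "%s loads %s" % (img, p["cmdline"])))
        parent = procs.get(p["ppid"])
        if img in EXPECTED_PARENT and parent is not None:
            pimg = image_name(parent["image"])
            if pimg not in EXPECTED_PARENT[img]:
                findings.append((pid, "unexpected_parent",
                                 "%s spawned by %s (pid %d)" % (img, pimg, p["ppid"])))

    injected = set()
    for (src, dst), n in sorted(writes.items()):
        s, d = procs.get(src), procs.get(dst)
        if s is None or d is None:
            continue
        simg, dimg = image_name(s["image"]), image_name(d["image"])
        # Same-image writes (64-bit regsvr32 into its 32-bit relaunch) are left as noise here.
        if simg != dimg:
            injected.add(dst)
            findings.append((src, "cross_image_write",
                             "%s (pid %d) wrote %d times into %s (pid %d)" % (simg, src, n, dimg, dst)))

    for e in events:
        if e["type"] == "token_adjust" and e["pid"] in injected and e["privilege"] == "SeDebugPrivilege":
            chain = " -> ".join("%s(%d)" % (image_name(procs[p]["image"]), p)
                                for p in ancestry(procs, e["pid"]))
            findings.append((e["pid"], "debug_priv_after_write",
                             "SeDebugPrivilege enabled in written-into process; chain: " + chain))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The same-image write exemption is a deliberate trade-off: the 64-bit regsvr32.exe writing into the SysWOW64 copy it just launched looks the same as the sandbox's first seven IoCs, so alerting on the regsvr32.exe to wermgr.exe write keeps the rule focused on the step that actually moves the payload into a process that should never be a child of a DLL loader.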